The diagrams below show how the Keyless SDK, which runs within your mobile app on the user’s device, interacts with your application server and with the Keyless network.
To enroll, your mobile app invokes the enroll method from the Keyless SDK. With this method, the mobile device assists the user while capturing the biometric signal with the camera (Step 1). It then interacts with the Keyless network to generate a new user identifier (Keyless ID), which is then returned to your mobile app (Step 2). To complete enrollment, your mobile app sends the Keyless ID to your application server, which associates the identifier with the user’s account.
The enroll method takes an optional enrollment challenge (parameter enrollmentChallenge). If the caller specifies a challenge, then the callback method enrollmentDidSucceed is invoked with a response to the enrollment challenge (enrollmentResponse) at the end of the enrollment. This response is verified by your application server in Step 3.
Authentication involves your application server, your mobile app, and the Keyless network, as depicted in Figure 2.
This process starts when the user performs an action that requires authentication using your mobile app (Step 1 in Figure 2). To this end, your app provides the details of this action to your application server, which generates a challenge. The challenge is sent to the mobile app, which uses the Keyless SDK to compute the corresponding authentication token using the getAuthenticationToken method (Step 2).
At this point, the Keyless SDK authenticates the user. First, it captures the user’s biometrics using the mobile device’s camera (Step 3). Then, it connects to the Keyless network, and runs a secure multi-party computation protocol that authenticates the user and generates the authentication token in response to the challenge provided in Step 2. This is shown in Figure 2 as Step 4.
The Keyless SDK returns the authentication token to the mobile app. The app sends the token to your application server, which verifies it. If the authentication token is valid, the application server completes the transaction and notifies your mobile app (Step 6).
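The server side of this exchange, sketched as an added example that is not Keyless code: it issues a single-use challenge bound to the user and the action details, then gates the action on the returned token. ChallengeStore, the verify_token hook, the TTL and the challenge construction are all assumptions, since this page does not specify the token format or how the server verifies it.

```python
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime, not a Keyless value

def _digest(action):
    # Canonical JSON so the same action details always hash identically.
    return hashlib.sha256(json.dumps(action, sort_keys=True).encode()).digest()

class ChallengeStore:
    """In-memory record of outstanding challenges on the application server."""

    def __init__(self, verify_token, clock=time.time):
        # Hypothetical hook: (keyless_id, challenge, token) -> bool
        self._verify_token = verify_token
        self._clock = clock
        self._pending = {}

    def issue(self, keyless_id, action):
        """Steps 1-2: fresh random challenge bound to the user and the action."""
        action_digest = _digest(action)
        challenge = hashlib.sha256(secrets.token_bytes(32) + action_digest).hexdigest()
        expires = self._clock() + CHALLENGE_TTL_SECONDS
        self._pending[challenge] = (keyless_id, action_digest, expires)
        return challenge

    def complete(self, keyless_id, action, challenge, token):
        """Token check before Step 6: True only if the action may proceed."""
        # pop() makes every challenge single-use, even when a later check fails.
        record = self._pending.pop(challenge, None)
        if record is None:
            return False  # unknown or already used (replay)
        owner, action_digest, expires = record
        if owner != keyless_id or self._clock() > expires:
            return False  # issued to another user, or expired
        if not hmac.compare_digest(action_digest, _digest(action)):
            return False  # action details changed after the challenge was issued
        return bool(self._verify_token(keyless_id, challenge, token))

if __name__ == "__main__":
    # Constructed stand-in verifier; real token verification is Keyless-specific.
    store = ChallengeStore(lambda kid, ch, tok: tok == "valid:" + ch)
    action = {"type": "transfer", "amount": "100.00"}  # constructed sample action
    ch = store.issue("example-keyless-id", action)
    print(store.complete("example-keyless-id", action, ch, "valid:" + ch))
    print(store.complete("example-keyless-id", action, ch, "valid:" + ch))
```

In a multi-instance deployment the pending-challenge map would live in a shared store with atomic delete-and-return, so a challenge cannot be consumed twice on different servers.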
Account deletion is similar to authentication. First, your mobile application performs authentication steps 1-6, with which it authenticates and notifies your application server that the user wants to delete the account. Next, your mobile app invokes the deEnroll method from the Keyless SDK. This method issues a deletion request to the Keyless network (Step 7). The request removes all data associated with the user from Keyless.